Carrier IQ Smartphone ‘Spyware’ No Threat to Privacy, Experts Say

This story was updated at 11:15 a.m. ET Friday with excerpts
from a statement by the Carrier IQ company.

A YouTube video that shows hidden smartphone software called
Carrier IQ logging keystrokes and text messages has sent the
security and privacy communities into a frenzy, and drawn concern
from Capitol Hill. But a researcher versed in the software says
people are overreacting.

The video in question was made by Trevor Eckhart, a Connecticut
systems administrator, and shows how Carrier IQ records his
keystrokes and encrypted Web searches.

Rosenberg told SecurityNewsDaily that he's been working on
reverse-engineering the Carrier IQ software for the past few
weeks. Although he has not "exhaustively covered it," he's "seen
no evidence that they're recording keystrokes."

Carrier IQ's marketing communications representative, Mira Woods,
directed SecurityNewsDaily to the company's media alert, which
explains that Carrier IQ only collects data used to "improve the
quality of the network, understand device issues and ultimately
improve the user experience," and that the company does not
employ any tools to record keystrokes.

UPDATE: Later yesterday, Carrier IQ put out a
press release addressing the privacy issues about its software.

"Our software does not record, store or transmit the contents of
SMS messages, email, photographs, audio or video," the statement
read in part. "For example, we understand whether an SMS was sent
accurately, but do not record or transmit the content of the SMS.
We know which applications are draining your battery, but do not
capture the screen."

The statement also concisely explains what the Carrier IQ
software is used for.

"CIQ [Carrier IQ] is the consumer advocate to the mobile
operator, explaining what works and what does not work," it said.
"Three of the main complaints we hear from mobile device users
are (1) dropped calls, (2) poor customer service, and (3) having
to constantly recharge the device.

"Our software allows Operators to figure out why problems are
occurring, why calls are dropped, and how to extend the life of
the battery. When a user calls to complain about a problem, our
software helps Operators' customer service more quickly identify
the specific issue with the phone."

It's unfair to jump to conclusions and label Carrier IQ as a Big
Brother, Rosenberg said, until there is proof that the company is
harvesting smartphone users' data for anything other than
improving the phone's performance.

"The work Trevor Eckhart has done raises some legitimate concerns
regarding what this software does on your phone," Rosenberg said.
"I agree that carriers and Carrier IQ should be held accountable
and users should be given more insight into what data is being
collected.

"On the other hand," he continued, "the research presented so far
is not conclusive as to what data is actually being collected and
sent back to Carrier IQ. There is no evidence provided that the
information Carrier IQ is logging is actually stored in any way,
much less transmitted back to Carrier IQ. There's a big diff
between saying 'Carrier IQ doing something when you press a key,'
and 'Carrier IQ logs all your keystroke[s] and sends them to the
carrier.'"

Where's the proof?

John Graham-Cumming is the vice president of engineering for the
San Mateo, Calif., and London-based software firm Causata. On his
blog, Graham-Cumming found it worrying that a smartphone
could log his personal information and send it to a third party.
But, like Rosenberg, he wants people to see through the fear and
look at the facts.

"If you watch the 'security researcher's' video, you'll find that
nowhere does he make the claim that content that the application
sees is leaving the device," Graham-Cumming wrote. "And from the
video, he doesn't appear to try. At no point does he enter a
debugger and look inside the Carrier IQ application, and at no
point does he run a network sniffer and look at what data is
being transmitted to Carrier IQ."

Graham-Cumming added that this "would be a huge story if millions
of smartphones worldwide were secretly sending the content of
text messages to a U.S.-based company. But that's not the story
here, because the 'security researcher' does not appear to have
tried to find out."

How anonymous is the data?

Anonymized metrics data, which is what Carrier IQ says it
collects, means that any number of statistics and log files,
including calls made and websites visited, are stripped of all
personally identifiable data before they're transmitted back to
the company.

Such anonymized metrics data from smartphones is prevalent and
valuable — Google Maps' real-time traffic maps rely on similar
data, for example — and its collection does not automatically
mean that someone is tracking you.

Such misplaced fears came to light in April, when news broke that
the iPhone tracks its users, and more recently when Sen. Chuck
Schumer, D-N.Y., halted holiday-period test trials of a
smartphone-tracking system for shopping malls that had been set
to begin on Black Friday (Nov. 25).

Rosenberg said he has concerns about whether Carrier IQ is
properly anonymizing the data it receives. But again, he's not
quick to "drink the Kool-Aid" and assume Carrier IQ is at fault.

"I don’t think the proof is there yet that they're violating the
privacy to the extent that it's been described," he said.

How much data is needed?

"I can certainly see how some of the information that Carrier IQ
can collect may be useful for diagnosing and planning related to
coverage and capacity," Chester Wisniewski, security specialist
for the Britain-based firm Sophos, told SecurityNewsDaily. "The
application itself goes way beyond what is necessary and collects
far more than necessary for simple network troubleshooting."

Carrier IQ's own communications policies, which included suing
Eckhart last month and then just as quickly withdrawing the
lawsuit, don't do the company any favors.

"Privacy should always be a concern," Wisniewski said. "It is
sort of like virginity — once you've lost it, it's gone."

Senator Franken gets involved

Just as he did in May following the accusations that Apple and
Google tracked their smartphone users, Sen. Al Franken (D-Minn.)
is demanding answers.

Franken sent a letter to Carrier IQ's president and CEO, Larry
Lenhart, yesterday (Nov. 30) seeking clarification about the
specific information the company records and receives, and how it
stores the data.

"I understand the need to provide usage and diagnostic
information to carriers," Franken wrote. "I also understand that
carriers can modify Carrier IQ's software. But it appears that
Carrier IQ's software capture[s] a broad swath of extremely
sensitive information from users that would appear to have
nothing to do with diagnostics — including who they are calling,
the contents of the texts they are receiving, the contents of
their searches, and the websites they visit."